Hello All
           I am forwarding one improved patch related with Fork
Bombing Attack. This patch prints a message (only once) which alerts
administrator/root user about fork bombing attack. I created this
patch to implement my idea of informing administrator about fork
bombing attack on his machine only once.
   This patch overcomes all drawbacks of my previous patch related
with fork bombing attack and helps administrator. added comments will
definitely help developers.

Regards
Anand


On 6/3/07, Daniel Hazelton <[EMAIL PROTECTED]> wrote:
On Sunday 03 June 2007 19:01:21 Nix wrote:
> On 1 Jun 2007, Jens Axboe told this:
> > I think Anand is assuming that because syslog may coalesce identical
> > messages into "repeated foo times" in the messages file, that it's not a
> > dos. That is of course wrong.
>
> Not all syslog daemons do that, anyway. (syslog-ng doesn't, for one.)

That syslog-ng doesn't coalesce repeated messages into a single line doesn't
make a difference. The printk_ratelimit stuff is supposed to make it very
hard to DOS a system by flooding syslog, but that doesn't mean its
impossible.

The point of this discussion was that having a part of the kernel log a
message about a fork-bomb was a very large whole that could be used to DOS a
system by flooding the syslog. (In fact, IIRC, the printk_ratelimit (and
somebody, please correct me if I'm wrong) stuff uses a ring buffer and
seriously spamming syslog, like the patch that spawned this thread would have
done, could cause you to lose potentially important messages)

DRH

Attachment: fork.patch
Description: Binary data

Reply via email to